Some of this will be improved once user namespaces land in Docker, but
until then being able to run as uid 0 (root) inside a container is
basically giving your users access to run as root on the host machine.

Was this supposed to land in the last 1.9?

I must say, these restrictions are a real pain when it comes to Docker images like nginx...
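The uid 0 point quoted above can be checked from inside a container by reading the kernel's `/proc/self/uid_map`, whose lines are `inside-start outside-start length`. This is an added example, not part of the original thread: the function names and both sample maps are constructed, and it assumes the container's parent user namespace is the host's initial one.

```python
import os


def parse_uid_map(text):
    """Parse uid_map text into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def outside_uid(inside_uid, entries):
    """Translate a uid seen inside the namespace to the uid outside it.

    Returns None when the uid has no mapping in the parent namespace.
    """
    for inside_start, outside_start, length in entries:
        if inside_start <= inside_uid < inside_start + length:
            return outside_start + (inside_uid - inside_start)
    return None


def container_root_is_host_root(uid_map_text):
    """True when uid 0 inside maps to uid 0 outside (no remapping in effect)."""
    return outside_uid(0, parse_uid_map(uid_map_text)) == 0


# Constructed samples: identity map (no user namespace) and a remapped range.
NO_USERNS = "         0          0 4294967295\n"
REMAPPED = "         0     100000      65536\n"

if __name__ == "__main__":
    for name, sample in (("no userns", NO_USERNS), ("remapped", REMAPPED)):
        print(name, "-> root is host root:", container_root_is_host_root(sample))
    # On Linux, also report the mapping of the current process.
    if os.path.exists("/proc/self/uid_map"):
        with open("/proc/self/uid_map") as fh:
            print("this process:", container_root_is_host_root(fh.read()))
```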